6.261 UNIFIED_AUDIT_TRAIL

When unified auditing is enabled in Oracle Database, the audit records are populated in this new audit trail.

This view displays audit records in tabular form by retrieving the audit records from the audit trail.

Note:

This view is populated only in an Oracle Database where unified auditing is enabled.

Column Datatype NULL Description

AUDIT_TYPE

VARCHAR2(64)

Type of auditing:

  • Database Vault

  • Datapump

  • Direct path API

  • FineGrainedAudit

  • KACL_AUDIT

  • Label Security

  • Protocol

  • RMAN_AUDIT

  • Standard

  • XS

SESSIONID

NUMBER

Audit session identifier

PROXY_SESSIONID

NUMBER

Audit session identifier of proxying session

OS_USERNAME

VARCHAR2(128)

Name of the operating system user for the database session

USERHOST

VARCHAR2(128)

Name of the host machine from which the session was spawned

TERMINAL

VARCHAR2(30)

The operating system terminal of the user session

INSTANCE_ID

NUMBER

Instance number as specified in the initialization parameter file, init.ora

DBID

NUMBER

Database identifier of the audited database

AUTHENTICATION_TYPE

VARCHAR2(1024)

Authentication information for the session user

See: "AUTHENTICATION_TYPE Description"

DBUSERNAME

VARCHAR2(128)

Database user name of the user whose actions were audited

DBPROXY_USERNAME

VARCHAR2(128)

Proxying user name, in the case of proxy authentication

EXTERNAL_USERID

VARCHAR2(1024)

External user name, in the case of network or external authentication

For OCI IAM users, the user OCID (Oracle Cloud Identifier)

GLOBAL_USERID

VARCHAR2(32)

For a user logged in as an enterprise user, the global user identifier for the user

For OCI IAM users, the value of this column is null

CLIENT_PROGRAM_NAME

VARCHAR2(48)

Name of the program used for the database session

DBLINK_INFO

VARCHAR2(4000)

Value of SYS_CONTEXT('USERENV','DBLINK_INFO'). Valid if the connection was via a database link.

XS_USER_NAME

VARCHAR2(128)

Name of the Real Application Security user

XS_SESSIONID

RAW(33)

Identifer of the Real Application Security session

ENTRY_ID

NUMBER

Numeric ID for each audit trail entry in the session

STATEMENT_ID

NUMBER

Numeric ID for each statement run (a statement may cause many actions)

EVENT_TIMESTAMP

TIMESTAMP(6)

Timestamp of the creation of the audit trail entry in the local time zone

EVENT_TIMESTAMP_UTC

TIMESTAMP(6)

 

Timestamp of the creation of the audit trail entry in UTC (Coordinated Universal Time)

ACTION_NAME

VARCHAR2(64)

Name of the action executed by the user. The name should be read in conjunction with the AUDIT_TYPE to understand the real action.

RETURN_CODE

NUMBER

Oracle error code generated by the action. Zero if the action succeeded

OS_PROCESS

VARCHAR2(16)

Operating system process identifier of the Oracle database process

TRANSACTION_ID

RAW(8)

Transaction identifier of the transaction in which the object is modified

SCN

NUMBER

System change number (SCN) of the creation of the audit trail entry

EXECUTION_ID

VARCHAR2(64)

Execution context identifier for each action

OBJECT_SCHEMA

VARCHAR2(128)

Schema name of object affected by the action

OBJECT_NAME

VARCHAR2(128)

Name of the object affected by the action

SQL_TEXT

CLOB

SQL associated with the event

SQL_BINDS

CLOB

List of bind variables, if any, associated with SQL_TEXT

APPLICATION_CONTEXTS

VARCHAR2(4000)

Semicolon-seperated list of Application Context Namespace, Attribute, Value information in (APPCTX_NSPACE,APPCTX_ATTRIBUTE=<value>) format

CLIENT_IDENTIFIER

VARCHAR2(64)

Client identifier in each Oracle session

NEW_SCHEMA

VARCHAR2(128)

The schema of the object named in the NEW_NAME column

NEW_NAME

VARCHAR2(128)

New name of object after RENAME, or name of underlying object (for example, CREATE INDEX owner.obj_name ON new_owner.new_name)

OBJECT_EDITION

VARCHAR2(128)

Name of the edition containing the audited object

SYSTEM_PRIVILEGE_USED

VARCHAR2(1024)

Comma-separated list of system privileges used to execute the action

SYSTEM_PRIVILEGE

VARCHAR2(40)

System privilege granted/revoked by a GRANT/REVOKE statement

AUDIT_OPTION

VARCHAR2(40)

AUDIT/NOAUDIT SQL command

OBJECT_PRIVILEGES

VARCHAR2(35)

Object privileges granted/revoked by a GRANT/REVOKE statement

ROLE

VARCHAR2(128)

Roles granted or revoked or set by GRANT/REVOKE/SET ROLE command

TARGET_USER

VARCHAR2(128)

User on whom the GRANT/REVOKE/AUDIT/NOAUDIT statement was executed

EXCLUDED_USER

VARCHAR2(128)

User who was excluded when the AUDIT/NOAUDIT statement was executed

EXCLUDED_SCHEMA

VARCHAR2(128)

Displays the schema of the excluded objects

EXCLUDED_OBJECT

VARCHAR2(128)

Displays object excluded from the action

CURRENT_USER

VARCHAR2(128)

Effective user for the statement execution

ADDITIONAL_INFO

VARCHAR2(4000)

Text comment on the audit trail entry, if any

UNIFIED_AUDIT_POLICIES

VARCHAR2(4000)

Lists the audit policies that caused the current audit record. For example, if SELECT ON SCOTT.EMP was configured from policy SCOTT_EMP_POL, for the SELECT event this column will display SCOTT_EMP_POL.

If more than one policy was configured, the list of policies that caused the event to be recorded in the audit trail are displayed in a comma-separated list.

This column has a NULL value for mandatory audit records. See Oracle Database Security Guide for information on activities that are mandatorily audited.

FGA_POLICY_NAME

VARCHAR2(128)

Fine-grained auditing (FGA) policy name that generated this FGA audit record

XS_INACTIVITY_TIMEOUT

NUMBER

Inactivity timeout of the Real Application Security session

XS_ENTITY_TYPE

VARCHAR2(32)

Type of the Real Application Security entity. Possible values are USER, ROLE, ROLESET, SECURITYCLASS, ACL, DATASECURITY, and NSTEMPLATE.

XS_TARGET_PRINCIPAL_NAME

VARCHAR2(128)

Target principal name in Real Application Security operations. Possible operations are set verifier, set password, add proxy, remove proxy, switch user, assign user, create session,and grant roles.

XS_PROXY_USER_NAME

VARCHAR2(128)

Name of the Real Application Security proxy user

XS_DATASEC_POLICY_NAME

VARCHAR2(128)

Name of the Real Application Security data security policy enabled or disabled

XS_SCHEMA_NAME

VARCHAR2(128)

Name of the schema in enable, disable data security policy and global callback operation

XS_CALLBACK_EVENT_TYPE

VARCHAR2(32)

Real Application Security global callback event type

XS_PACKAGE_NAME

VARCHAR2(128)

Real Application Security callback package name for the global callback

XS_PROCEDURE_NAME

VARCHAR2(128)

Real Application Security callback procedure name for the global callback

XS_ENABLED_ROLE

VARCHAR2(128)

The role that is enabled

XS_COOKIE

VARCHAR2(1024)

Real Application Security session cookie

XS_NS_NAME

VARCHAR2(128)

Name of the Real Application Security session namespace

XS_NS_ATTRIBUTE

VARCHAR2(4000)

Name of the Real Application Security session namespace attribute

XS_NS_ATTRIBUTE_OLD_VAL

VARCHAR2(4000)

The old value of the Real Application Security session namespace attribute

XS_NS_ATTRIBUTE_NEW_VAL

VARCHAR2(4000)

The new value of the Real Application Security session namespace

DV_ACTION_CODE

NUMBER

Numeric action type code for Database Vault

DV_ACTION_NAME

VARCHAR2(30)

Name of the action whose numeric code appears in the DV_ACTION_CODE column

DV_EXTENDED_ACTION_CODE

NUMBER

Numeric action type code for Database Vault administration

DV_GRANTEE

VARCHAR2(128)

Name of the user whose Database Vault authorization was modified

DV_RETURN_CODE

NUMBER

Database Vault specific error code

DV_ACTION_OBJECT_NAME

VARCHAR2(128)

The unique name of the Database Vault object that was modified

DV_RULE_SET_NAME

VARCHAR2(128)

The unique name of the rule set that was executing and caused the audit event to trigger

DV_COMMENT

VARCHAR2(4000)

Text comment on the audit trail entry, providing more information about the statement audited

DV_FACTOR_CONTEXT

VARCHAR2(4000)

An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered

DV_OBJECT_STATUS

VARCHAR2(1)

Indicates whether a particular Database Vault object is enabled or disabled. For example, if a Database Vault administrator enables or disables a realm, then this event will be audited and the DV_OBJECT_STATUS value will show the status of the realm after the event occurred. Possible values for this column are:

  • Y - The object is enabled

  • N - The object is disabled

OLS_POLICY_NAME

VARCHAR2(128)

Name of the Oracle Label Security (OLS) policy for which this audit record is generated

OLS_GRANTEE

VARCHAR2(1024)

Name of the user whose OLS authorization was modified

OLS_MAX_READ_LABEL

VARCHAR2(4000)

Maximum read label assigned to a user

OLS_MAX_WRITE_LABEL

VARCHAR2(4000)

Maximum write label assigned to a user

OLS_MIN_WRITE_LABEL

VARCHAR2(4000)

Minimum write label assigned to a user

OLS_PRIVILEGES_GRANTED

VARCHAR2(128)

OLS privileges assigned to a user or a trusted stored procedure

OLS_PROGRAM_UNIT_NAME

VARCHAR2(128)

Name of the trusted stored procedure whose authorization was modified or was executed

OLS_PRIVILEGES_USED

VARCHAR2(128)

OLS privileges used for an event

OLS_STRING_LABEL

VARCHAR2(4000)

String representation of the OLS label

OLS_LABEL_COMPONENT_TYPE

VARCHAR2(12)

Type of the OLS label component

OLS_LABEL_COMPONENT_NAME

VARCHAR2(30)

Name of the OLS label component

OLS_PARENT_GROUP_NAME

VARCHAR2(30)

Name of the parent of the OLS group

OLS_OLD_VALUE

VARCHAR2(4000)

Old value for OLS ALTER events

OLS_NEW_VALUE

VARCHAR2(4000)

New value for OLS ALTER events

RMAN_SESSION_RECID

NUMBER

RMAN session identifier. Together with RMAN_SESSION_STAMP uniquely identifies an RMAN job (note that this is not same as user session ID; the value is a recid in controlfile that identifies RMAN job)

RMAN_SESSION_STAMP

NUMBER

Timestamp for the session

RMAN_OPERATION

VARCHAR2(20)

The RMAN operation executed by the job. One row will be added for each distinct operation within an RMAN session. For example, a backup job would contain BACKUP in the RMAN_OPERATION column.

RMAN_OBJECT_TYPE

VARCHAR2(20)

Type of objects involved for backup or restore/recover or change/delete/crosscheck commands.

It contains one of the following values. If RMAN command does not satisfy one of them, then preference is given in order, from top to bottom of the list:

  • DB FULL

  • RECVR AREA

  • DB INCR

  • DATAFILE FULL

  • DATAFILE INCR

  • ARCHIVELOG

  • CONTROLFILE

  • SPFILE

RMAN_DEVICE_TYPE

VARCHAR2(5)

Device involved in the RMAN job. It may be DISK or SBT_TAPE or * (An * indicates that more than one location is involved).

For a backup job, it will be the output device type. For other commands (such as restore or crosscheck), it will be the input device type.

DP_TEXT_PARAMETERS1

VARCHAR2(512)

Parameters during a Data Pump operation that have a text/string value. This may contain the values for:

  • ACCESS METHODS

  • DATA OPTIONS

  • DUMPER DIRECTORY

  • JOB_TYPE

  • JOB VERSION

  • MASTER TABLE

  • METADATA_JOB_MODE

  • PARTITION OPTIONS

  • REMOTE LINK

  • TABLE EXISTS

For descriptions and more information about the settings that can appear for these Data Pump text parameters, see Table 6-2.

DP_BOOLEAN_PARAMETERS1

VARCHAR2(512)

Parameters during a Data Pump operation that have a boolean value. This may contain the values for:

  • DATA_ONLY - Boolean value for whether or not the operation processed data only (as opposed to metadata only, or metadata and data combined)

  • DUMPFILE_PRESENT - Denotes whether a dump file exists. Typically, it indicates whether a network export in which no dumpfile is required.

  • JOB_RESTARTED - Boolean that indicates if the export or import job had to be restarted

  • MASTER_ONLY - Indicates whether the import job imported just the master table and then stopped the job so that the contents of the master table can be examined

  • METADATA_ONLY - Boolean value for whether or not the operation processed metadata only (as opposed to data only, or metadata and data combined)

DIRECT_PATH_NUM_COLUMNS_LOADED

NUMBER

Shows the number of columns that were loaded using the SQL*Loader direct path load method

RLS_INFO

CLOB

Stores virtual private database (VPD) policy names and predicates separated by delimiter.

To format the output into individual rows, use the DBMS_AUDIT_UTIL.DECODE_RLS_INFO_ATRAIL_UNI function.

KSACL_USER_NAME

VARCHAR2(128)

The connecting user name

The value in this column is meaningful only when the UNIFIED_AUDIT_TRAIL.RETURN_CODE is 46981, which is the denial-of-service (DoS) error code.

KSACL_SERVICE_NAME

VARCHAR2(512)

The target database service name

The value in this column is meaningful only when the UNIFIED_AUDIT_TRAIL.RETURN_CODE is 46981, which is the denial-of-service (DoS) error code.

KSACL_SOURCE_LOCATION

VARCHAR2(48)

The source location of the initiating connection

The value in this column is meaningful only when the UNIFIED_AUDIT_TRAIL.RETURN_CODE is 46981, which is the denial-of-service (DoS) error code.

PROTOCOL_SESSION_ID

NUMBER

 

Oracle XML DB session ID

The PROTOCOL_* columns in this view are meaningful when auditing Oracle XML DB protocol (HTTP or FTP) messages.

You can use this column to identify audit records from the same Oracle XML DB session.

PROTOCOL_RETURN_CODE

NUMBER

 

Return code for the Oracle XML DB protocol request

This value is logged in the audit records for both the reply message containing the return code and its corresponding request message.

For HTTP requests, a return code of 200 (OKAY) or 304 (NOT-MODIFIED) is considered successful, and a return code of 207 means the reply may have multiple components with separate return codes. All other HTTP return codes are considered unsuccessful.

PROTOCOL_ACTION_NAME

VARCHAR2(32)

 

Indicates the protocol and method for the Oracle XML DB protocol message

This value is of the form protocol-method.

Possible values for protocol are HTTP or FTP.

Examples: HTTP-GET and FTP-RETR.

Note that the HTTP GET and HEAD methods are both logged as HTTP-GET.

Unrecognized methods are logged as HTTP-UNKNOWN or FTP-UNKNOWN.

PROTOCOL_USERHOST

VARCHAR2(128)

 

IP address of the client

PROTOCOL_MESSAGE

VARCHAR2(4000)

 

Text of the Oracle XML DB protocol message

SOURCEFoot 1

VARCHAR2(8)

 

Source of the audit record:

  • FILE - Refers to records from the operating system spillover files in each database instance

  • DATABASE - Refers to records from the AUDSYS.AUD$UNIFIED table

Footnote 1 This column is available starting with Oracle Database release 19c, version 19.21.

Table 6-2 Data Pump Text Parameter Descriptions

Parameter Description

ACCESS METHOD

The method used to load the data. Settings can be:

  • AUTOMATIC: Enables Oracle Data Pump to determine the optimal load method

  • DIRECT_PATH : Uses the direct path API to pass the data to be loaded.

  • EXTERNAL_TABLE: Loads data using the external tables option.

  • CONVENTIONAL: Loads the data using SQL INSERT statements

DATA OPTIONS

Indicates how certain types of data were handled during import operations. Settings are in bit-mask format, which are as follows:

  • 1 (SKIP_CONSTRAINT_ERRORS): Specifies that the import operation proceeded even if non-deferred constraint violations were encountered.

  • 8 (DISABLE_APPEND_HINT): The import operation did not use the APPEND hint while loading a data object.

  • 16 (REJECT_ROWS_WITH_REPL_CHAR): Warnings are issued when the replacement character may be used and an option was added to reject data rows where the replacement character was used during a Data Pump import. This situation can occur if different character sets are used for the export/import process

DUMPER DIRECTORY

Not in use

JOB_TYPE

Is either EXPORT or IMPORT

JOB VERSION

Specifies the version of database objects that were imported

MASTER TABLE

Indicates the name of the master table. By default, it appears as follows for export operations:

schema_name.SYS_EXPORT_TABLE_n

For import operations, it appears as follows:

schema_name.SYS_IMPORT_TABLE_n

The n represents a numeric value of 01. If 01 is in use, the number is incremented with 02, 03, and so on.

METADATA_JOB_MODE

Type of export or import operation. For example a table export would be TABLE_EXPORT

PARTITION OPTIONS

Indicates how table partitions were created during an import operation. Settings can be:

  • NONE: The tables were created as they existed on the system from which the export operation was performed.

  • DEPARTITION: Each partition or subpartition was promoted to a new individual table.

  • MERGE: All partitions and subpartitions were merged into one table

REMOTE LINK

Indicates that the export was performed from a (source) database identified by a valid database link. The data from the source database instance was written to a dump file set on the connected database instance.

TABLE EXISTS

Indicates the action that was taken on an import operation when the target table already existed. The values are as follows:

  • REPLACE

  • TRUNCATE

  • SKIP

  • APPEND

AUTHENTICATION_TYPE Description

The AUTHENTICATION_TYPE column of UNIFIED_AUDIT_TRAIL displays authentication information for the session user.

The value of this column is a string with the following syntax:

(TYPE=(auth_string));(CLIENT ADDRESS=((PROTOCOL=protocol)(HOST=client_ip_address)(PORT=client_port_number)));[(LOGON_INFO=((VERIFIER=%s-%s)(CLIENT_CAPABILITIES=%s));]
  • (TYPE=(auth_string));

    Indicates the type of authentication for the session user.

    Possible values for auth_string:

    • DATABASE - Username/password authentication
    • DIRECTORY PASSWORD - Directory-based user authentication
    • NETWORK SERVICE - Authentication was performed by Oracle Net Services or strong authentication
    • OS - Operating system external user authentication
    • PROXY - OCI proxy connection authentication
  • (CLIENT ADDRESS=((PROTOCOL=protocol)(HOST=client_ip_address)(PORT=client_port_number)));

    Displays the protocol used by the client, such as ipc, sdp, tcp, or tcps, the client IP address, and the client port number.

  • (LOGON_INFO=((VERIFIER=version-rollover_state)(CLIENT_CAPABILITIES=capability_list));

    This syntax is displayed only if authentication was completed during gradual database password rollover.

    The value of VERIFIER comprises the following two values, separated by a hyphen:

    • version - Indicates the password version (11G or 12C)

    • rollover_state - Indicates whether the user was authenticated with the OLD password or the NEW password

    For CLIENT_CAPABILITIES, the value of capabilitiy_list is a comma-separated list of one or more of the following client capabilities: O5L_NP, O7L_MR, or O8L_LI. See Oracle Database Net Services Reference for more information about client capabilities.

See Also: